The purpose of this policy is to ensure that the RowanSOM complies with the Federal Trade Commission’s (FTC) Identity Theft Rules under sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACT Act). These regulations are also known as the Red Flags Rule. Under this policy, RowanSOM shall design a program to detect, prevent and mitigate identity theft in connection with the opening of a covered account or any existing covered account. This program shall mitigate the risks associated with identity theft and mitigate the effects of identity theft on RowanSOM, its employees, its students, its patients, its constituents and its customers. This policy also addresses the administration of Perkins Loans, Institutional Loans and the provision of an extended tuition payment plan.
Under the direction of the Dean, the Clinical Dean for Academic and Clinical Affairs, the General Counsel and the Chief Audit, Compliance & Privacy Officer shall ensure compliance with this policy. The Dean, and Chief Operating Officer of RowanSOM shall implement this policy.
This policy applies to the schools and units of RowanSOM, to the RowanSOM Community which includes RowanSOM management, faculty, and other academic personnel, clinical staff, researchers, employees, contractors, agents and others associated with or supporting RowanSOM.
Account: a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes. Account includes:
An extension of credit, such as services involving a deferred payment, e.g. patient accounts, Perkins Loans and Institutional Loans; and
A deposit account.
Covered Account: the Red Flags Regulations define the term “covered account” to mean:
“an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions” and
“any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers, or to the safety and soundness of the financial institution, or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.”
For the purposes of the RowanSOM’s Identity Theft Program, the term “covered account” is extended to include any RowanSOM account or database (financially based or otherwise) for which RowanSOM believes there is a reasonably foreseeable risk to the RowanSOM, faculty, staff, patients, constituents or customers from identity theft.
Credit: the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefore.
V. REFERENCES
This policy outlines the Identify Theft Prevention Program of RowanSOM which encompasses not only financial or credit accounts, but any RowanSOM account or database for which RowanSOM believes there is a reasonably foreseeable risk to RowanSOM, faculty, staff, patients, constituents or customers from identity theft.
RowanSOM will implement and maintain an Identify Theft Prevention Program to assure compliance with federal law and RowanSOM policies preventing, detecting and mitigating possible identity theft of its patients, customers, clients and its constituents.
All RowanSOM employees and individuals working on behalf of RowanSOM in any capacity (including Board members, medical staff, business associates, independent contractors, and volunteers) will conduct themselves and their activities in a manner so as to protect the sensitive information, such as personal identifying information that may be used to defraud or aid identity theft as required by federal law and in conformance with RowanSOM policies.
Attachment A: FTC’s Examples of Red Flags
Attachment B: Identity Theft Red Flag and Security Incident Reporting Procedure
Attachment C: Identity Alert Form
Attachment D: Sample Letter Regarding Patient Misidentification
Attachment E: Sample Letter Regarding Identity Theft
Attachment F: Sample Letter Regarding Identity Theft Report
RISK FACTORS | BILLING UNIT | Practice | |
1. | Computer network intrusion | ||
2. | Hospital-based providers – data compromise by hospital employee | ||
3. | Hospital-based providers – data compromise by company employee | ||
4. | Practice – billing company data transfer – PAPER | ||
5. | Practice – billing company data transfer – ELECTRONIC | ||
6. | Billing company – practice data transfer – PAPER | ||
7. | Billing company – practice data transfer – ELECTRONIC | ||
8. | Patient credit card payments – employee theft of credit card information | ||
9. | Practice paper records (in practice office) – mishandled or stolen [may also be a HIPAA violation] | ||
10. | Practice paper records (billing company office) – mishandled or stolen [see above] | ||
11. | Patient telephone inquiry to practice – alleges services not theirs, provider unknown, etc. | ||
12. | Patient telephone inquiry to billing company – alleges services not theirs, provider unknown, etc. | ||
13. | Insurer inquiry to practice – insured address does not match their records | ||
14. | Insurer inquiry to billing company – insured address does not match their records | ||
15. | Patient statements – mail interception and/or theft reported | ||
16. | Mail to patient returned to the practice – “Addressee Unknown,” etc. | ||
17. | Mail to patient returned to the billing company – “Addressee Unknown,” etc. | ||
18. | Patient / Guarantor denies receipt of monthly statements/correspondence | ||
19. | Collection agency reports inconsistencies in address, SSN, phone #, employment, etc. | ||
20. | Patient and/or Guarantor SSN is already on file – under another name(s) | ||
21. | Patient and/or Guarantor phone number(s) match others on file @ different addresses | ||
22. | Calls to home phone number(s) supplied are answered by “wrong number” responses | ||
23. | Patient or Guarantor calls to report their identity has been compromised | ||
24. | Contact from Credit Bureau(s) about a patient who has reported identity theft | ||
25. | Contact from USPS Inspectors or the USPS OIG regarding identity theft | ||
26. | Suspicious activity within an on-line payment portal – hosted by the practice | ||
27. | Suspicious activity within an on-line payment portal – hosted by the billing company or vendor | ||
28. | Credit card / debit card payments are denied or voided due to identity discrepancies |
This form should be completed by the hospital or other facility personnel when the identity of a patient is questioned, either because of identity theft or patient misidentification.
Form completed by: ______________________________________
Date/Time: ______________________________________
Title: ______________________________________
Department: ______________________________________
Patient presented to facility using the following information:
Name: _______________________________________
Phone: _______________________________________
Address: _______________________________________
_______________________________________
SS#: _______________________________________
DOB: _______________________________________
Date/ Time: _______________________________________
Presenting Complaint:
Existing MR # Used: ________________ New MR #: ___________________ I Created: ___________________________
Account No. Assigned: ___________________________________ Consent Form Signature: ________________________
Insurance Information Presented (specify if Medicaid, Medicare, or other governmental programs):_____________________
Was the health information of any other patient provided to this individual? Does the hospital/facility need to account for the disclosures.
Name of “other” patient: ________________________________________________________________________________
Other information (who discovered discrepancy; was Security called, was photo secured, etc.):
_____________________________________________________________________________________________________
_____________________________________________________________________________________________________
_____________________________________________________________________________________________________
List all involved staff members: ____________________________________________________________________________
Based on investigation, the correct patient is:
Name: ________________________________________________ Phone: _________________________________________
Address:
SS#: ___________________________________DOB: ____________
Reason: _______________________________________________________________________________________________
______________________________________________________________________________________________________
______________________________________________________________________________________________________
PLEASE ATTACH A COPY OF THE RELEVANT PHOTO ID AND FORWARD THE COMPLETED FORM TO THE FACILITY’S PRIVACY OFFICER; REGISTRATION DIRECTOR; SECURITY DIRECTOR; PATIENT ACCOUNT DIRECTOR; AND THE COMPLIANCE OFFICER.
[Date]
[Patient Name]
[Patient Address]
[Patient Address]
Dear [Mr. ___/ Ms. ____]:
This letter is [to inform you of / in response to your report of] an erroneous use of your name or identifying information at [Name of entity] (“Entity”) and to provide you with information to assist you in preventing this incident from affecting your medical care.
[Explain factual situation and describe how records became commingled.]
The integrity of your medical record is very important, and your record should only reflect your health history and medical items services provided to you. For example, if the blood type is of another person is listed in your record, you could be given the wrong type of blood in an emergency. Therefore, for your health and safety, it is very important that your medical records do not contain information about another person. We request your assistance in ensuring that our records about you are correct.
We have removed from your medical record information relating to care given on ________________________________ because [we have determined/you have indicated] you did not receive services at this hospital/site on those dates. After removing that information, your medical record shows the following visits:
Date of Visit Reason for Visit
[insert]
If someone other than you made any of the above visits, or you do not remember one or more of these visits, please contact us immediately. You can review your entire medical record by visiting this facility’s Medical Records Department, and we encourage you to do so. In addition to making sure your medical record with this facility is accurate, we also encourage you to check the accuracy of your records with other health care providers and your health insurance plan(s).
[Based on the information we have received relating to the use of your name and other identifying information on ___________________________, this facility will not bill you or your insurer for the services it provided on ______________________. We are in the process of correcting your account with your health insurer. If you receive a bill or insurance statement relating to a visit to this facility by someone other than you, please let us know as soon as possible.] We also recommend that you carefully monitor explanations of benefits (EOBs) received from your health insurer. If you receive an EOB or bill for health care you do not remember obtaining, immediately contact your insurer and the health care provider who furnished the services.
We hope this letter is helpful. If there is any other way the entity can assist you, or should you have any questions, please do not hesitate to contact me.
Sincerely,
______________________________
Privacy Officer
[Facility]
[Telephone number]
[Date]
BY CERTIFIED MAIL, RETURN RECEIPT REQUESTED
[Patient Name]
[Patient Address]
[Patient Address]
Re: Suspected Identity Theft
Dear ____________________:
This letter addresses the unauthorized use of your name and other personal information at _____________ on ___________________________. [Explain factual situation and describe compromise of information in detail (e.g., how it happened; information disclosed; what actions have been taken to remedy situation, etc.). Include the statement that, “We have reported this incident to _____________ (name law enforcement officer) at the ____ [local law enforcement agency], who can be reached at ______. We also have placed an alert on your account at this facility in an effort to prevent further misuse of your identity.”]
“Medical identity theft” is very serious because, in addition to causing financial problems, identity theft can lead to inappropriate care when incorrect information is included in a patient’s medical record. For example, if the blood type of a person who misused your health insurance information is listed in your record, you could be given the wrong type of blood in an emergency. If you believe you are the victim of medical identity theft, you should ask to review and make appropriate corrections to your medical record so that you receive appropriate care. Therefore, for your health and safety, it is very important that your medical records do not contain information about another person. We request your assistance in ensuring that our records about you are correct.
We have removed from your medical record information relating to care given on ________________________________ because [we have determined/you have indicated] you did not receive services at this facility on those dates. After removing that information, your medical record shows the following visits:
Date of Visit Reason for Visit
[insert]
If someone other than you made any of the above visits, or you do not remember one or more of these visits, please contact us immediately. You can review your entire medical record by visiting this facility’s Medical Records Department, and we encourage you to do so. In addition to making sure your medical record with this facility is accurate, we also encourage you to check the accuracy of your records with other health care providers and your health insurance plan(s).
[Based on the information we have received relating to the improper use of your name and other identifying information on ___________________________, this facility will not bill you or your insurer for the services it provided on ______________________. We are in the process of correcting your account with your health insurer. If you receive a bill or insurance statement relating to a visit to this facility by someone other than you, please let us know as soon as possible.] We also recommend that you carefully monitor explanations of benefits (EOBs) received from your health insurer to determine if any other person has used your identity to obtain health care. If you receive an EOB or bill for health care you do not remember obtaining, immediately contact your insurer and the health care provider who furnished the services.
Given the possibility that your personal information may be further misused, we recommend that you place a fraud alert on your credit file. A fraud alert tells creditors to contact you and verify your identity before they open any new accounts or change existing accounts. You can call any one of the three major credit bureaus. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts. All three credit reports will be sent to you, free of charge, for your review.
Equifax Experian TransUnionCorp
800-525-6285 888-397-3742 800-680-7289
Even if you do not find any suspicious activity on your initial credit reports, you should continue monitoring your credit reports carefully to be certain there have been no unauthorized transactions made or new accounts opened in your name. Victim information sometimes is held for use or shared among a group of thieves at different times. Checking your credit reports periodically can help you spot problems and address them quickly. You are entitled under federal law to get one free comprehensive disclosure of all the information in your credit file from each of the three national credit bureaus listed about once every twelve months. You may request your free annual credit report by visiting http://AnnualCreditReport.com or by calling (877)FACTACT.
If you find suspicious activity on your credit reports or have reason to believe your information is being misused, immediately notify the credit bureaus. If you believe an unauthorized account has been opened in your name, immediately contact the financial institution that holds the account. You should also file a police report. Ask for a copy of the police report because many creditors want the information it contains to absolve you of the fraudulent debts. You should also file a complaint with the FTC at www.consumer.gov/idtheft or at 1-877-ID-THEFT (877-438-4338). Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be accessible to law enforcers for their investigations. You may want to visit the FTC’s website at http://www.ftc.gov/bcp/edu/microsites/idtheft/, which has information to help individuals guard against and deal with identity theft, and you may want to review the information in the FTC’s publication, “Take Charge: Fighting Back Against Identity Theft.” You can call 1-877-438-4338 to request a free copy.
We encourage you to report any helpful information to ________ [investigating law enforcement officer] at the ____ [local law enforcement agency]. We also encourage you to alert other area hospitals and health care providers that your identifying information is being used in a fraudulent manner. If we can be of further assistance, please contact me at the number listed below.
Sincerely,
______________________________
Unit Designee
[Facility]
[Telephone number]
[Date]
[Patient Name]
[Patient Address]
[Patient Address]
Re: Identity Theft Report Made on_______________ [date]
RESPONSE REQUIRED
Dear ____________________:
This letter responds to your report that a person used your name, insurance information, or other personal information to obtain health care items or services at this facility. Please follow the instructions in this letter so that we can help you address this problem.
After reading the instructions for the enclosed Identity Theft Affidavit, complete the Identity Theft Affidavit (also available at http://www.ftc.gov/bcp/conline/pubs/credit/affidavit.pdf), including all details of the identity theft incident that you know. Make copies of the required documentation (e.g., photo identification; police report regarding the incident, etc.) and attach them to your affidavit. Sign the affidavit, then, have the affidavit notarized or witnessed by two people who are not members of your family. Return the completed signed affidavit and accompanying documentation to this office within two weeks from the date of this letter so this facility can take the necessary steps to correct your medical record and patient account.
“Medical identity theft” is very serious because, in addition to causing financial problems, identity theft can lead to inappropriate care when incorrect information is included in a patient’s medical record. For example, if the blood type of a person who misused your information is listed in your record, you could be given the wrong type of blood in an emergency. Once we receive your completed and signed affidavit, and appropriate supporting documentation, our Health Information Management and Patient Accounts office will work with you to make necessary corrections to your medical record and patient accounts. In the meantime, should you need to visit this facility or any other health care provider, you should let the provider know that the information in your medical record may be incorrect because your identity has been used to obtain health care items or services fraudulently.
We encourage you to alert other area hospitals and health care providers that your identifying information is being used in a fraudulent manner because identity thieves often obtain services and items from more than one health care provider. You may also want to visit the FTC’s website at http://www.ftc.gov/bcp/edu/microsites/idtheft/, which has information to help individuals guard against and deal with identity theft, and you may want to review the information in the FTC’s publication, “Take Charge: Fighting Back Against Identity Theft.” You can call 1-877-438-4338 to request a free copy.
Sincerely,
_________________
_________________
Enclosure (FTC Identity Theft Affidavit)